Firefox Update Comes With a Mea Culpa

Mozilla is pushing out an update to its Firefox Web browser (version 2.0.0.6) that plugs a pair of security holes in the software. Firefox users should receive notice of the pending update the next time they launch the browser. (If you don't get a prompt to update to 2.0.0.6, chances are you're using a really old version of Firefox and need to upgrade to the latest by visiting this link.)

More than a week ago, Security Fix covered a spat between Microsoft and Mozilla over which company was responsible for vulnerabilities that forced the latter to issue a previous update. Mozilla pointed the finger at Microsoft, claiming that hackers could leverage weaknesses in Microsoft's Internet Explorer Web browser to trick Firefox into opening the door for viruses and Trojan horse programs.

While Microsoft has indicated it is not prepared to issue any sort of update to correct this problem on its end (doing so may involve some serious work and impact a number of Windows applications going back through many versions of Windows), Mozilla has since backpedaled from its earlier offensive stance. Window Snyder, Mozilla's head of security strategy, writes:

"On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data. Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application. We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5."

Those interested can read more about the second vulnerability patched in this release at these two links.

On the off chance that anyone was wondering about the dormancy of Security Fix over this past week, I was vacationing in a remote region of the Adirondacks, a place where black bears and bald eagles seem to be more plentiful than Wi-Fi hotspots or places where one's cellphone works.